HCSEC-2024-28 (Published)

**Bulletin ID:** HCSEC-2024-28

**Affected Products / Versions:** Boundary Community Edition and Boundary Enterprise 0.8.0 up to 0.18.1; fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.

**Publication Date:** December 12, 2024

**Summary**

Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, potentially causing the Boundary server to terminate prematurely or allowing an attacker to perform a denial of service attack. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which typically lasts for milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, and 0.18.2.

**Background**

Boundary consists of two server components, workers and controllers. Workers perform session handling, while the controller serves the API and coordinates session requests. In addition to handling API requests, the controller is responsible for authentication, authorization, policy enforcement, and logging and auditing of actions within Boundary.

**Details**

During the initialization of the Boundary controller, functionality such as logging is gated or paused until Boundary finishes initializing. Once the Boundary controller is ready for operation, Boundary allows these functions to continue. Due to an internal error in how requests are handled, HTTP requests that should normally be dropped during initialization are instead returned to the Boundary server as an error, causing the server to terminate.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Boundary 0.16.4, 0.17.3, 0.18.2, or newer. Please refer to [Upgrading Boundary](https://developer.hashicorp.com/boundary/tutorials/self-managed-deployment/upgrade-version) for general guidance and version-specific upgrade notes.

**Acknowledgement**

This issue was identified by the Boundary Engineering team.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
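The failure mode described under Details is a general one: a startup gate that reports "not ready" as an internal error, in a server whose run loop treats handler errors as fatal, lets any request that lands inside the initialization window stop the whole process. The following Go program is an added illustration of that pattern and its fix; it is constructed example code, not Boundary's source, and the `gate`, `server`, `fragileHandler` and `hardenedHandler` types and functions, as well as the `/v1/targets` path used as sample input, are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// errNotReady is the internal condition "the controller has not finished initializing".
// (Constructed example; not an identifier from Boundary.)
var errNotReady = errors.New("controller not yet initialized")

// gate records whether initialization has completed.
type gate struct{ ready atomic.Bool }

func (g *gate) markReady()    { g.ready.Store(true) }
func (g *gate) isReady() bool { return g.ready.Load() }

// handlerFunc is a request handler that may report an internal error to the server.
type handlerFunc func(w http.ResponseWriter, r *http.Request, g *gate) error

// server models a run loop in which any error returned by a handler is fatal:
// the server records it and stops serving. This is a constructed model of the
// behaviour the bulletin describes, not Boundary's actual server code.
type server struct {
	g        *gate
	handle   handlerFunc
	fatalErr error
}

// serve dispatches one in-memory request and returns the HTTP status (0 if none
// was produced) and whether the server is still alive afterwards.
func (s *server) serve(path string) (status int, alive bool) {
	if s.fatalErr != nil {
		return 0, false // already terminated; nothing is served
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if err := s.handle(rec, req, s.g); err != nil {
		s.fatalErr = err // the run loop treats a handler error as fatal
		return 0, false
	}
	return rec.Code, true
}

// fragileHandler surfaces the "not ready" condition as an error. With a run loop
// that treats handler errors as fatal, a single request during the initialization
// window terminates the server: the pattern the bulletin describes.
func fragileHandler(w http.ResponseWriter, r *http.Request, g *gate) error {
	if !g.isReady() {
		return fmt.Errorf("handling %s: %w", r.URL.Path, errNotReady)
	}
	w.WriteHeader(http.StatusOK)
	return nil
}

// hardenedHandler rejects the early request at the HTTP boundary instead. The
// client receives 503 with Retry-After, nothing reaches the fatal-error path,
// and a burst of early requests cannot take the controller down.
func hardenedHandler(w http.ResponseWriter, r *http.Request, g *gate) error {
	if !g.isReady() {
		w.Header().Set("Retry-After", "1")
		http.Error(w, "controller initializing", http.StatusServiceUnavailable)
		return nil
	}
	w.WriteHeader(http.StatusOK)
	return nil
}

// startupScenario sends one request while the gate is closed, then marks the
// gate ready and sends a second. It returns both statuses and whether the
// server survived the startup window.
func startupScenario(h handlerFunc) (early, late int, alive bool) {
	s := &server{g: &gate{}, handle: h}
	early, _ = s.serve("/v1/targets") // constructed sample path
	s.g.markReady()
	late, alive = s.serve("/v1/targets")
	return early, late, alive
}

func main() {
	e, l, alive := startupScenario(fragileHandler)
	fmt.Printf("fragile:  early=%d late=%d serverAlive=%v\n", e, l, alive)
	e, l, alive = startupScenario(hardenedHandler)
	fmt.Printf("hardened: early=%d late=%d serverAlive=%v\n", e, l, alive)
}
```

The check a defender cares about is the one `startupScenario` performs: a request arriving before the gate opens should get a retryable response, and the second request, sent after initialization, should still be served. In the fragile variant the server is gone before the second request is dispatched, so no status is produced at all; in the hardened variant the early request gets 503 and the later one 200. Enforcing the startup gate as an HTTP response, rather than as an error that travels back to the run loop, is what removes the denial-of-service window.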

Timeline

  • Dec 12, 2024: CVE published